How to Detect and Rmove the TR/Crypt.ZPACK.Gen Trojan
Emails regarding an attached resume contains atrojan
Share: [removed][removed] [removed][removed]
1. Overview
A new trojan distribution campaign by email regarding a resume were intercepted by Ax3soft, the following subjects are possible:
1. Resume attached.
2. please find enclosed.
3. Please find attached.
4. Attached please find.
5. Here's the file you wanted.
6. I have attached the resume.
7. The new resume is attached
8. The resume document is attached
9. Please find my CV and cover letter attached.
10. You will find the resume attached to this email.
11. Please find attached my CV for your attention.
12. I've attched..I'm encoding..the latest figures for you.
13. Replace the old resume with the new one which is attached.
The email is send from the spoofed address and has the following body:
Attached please find.
Please take a look at the attached resume.
Resume attached
Replace the old resume with the new one which is attached
Please find my attached CV for your attention
Please review the attached resume.
You will find the resume attached to this e-mail.
The attachedZIP file has the name 50443cv.zip and contains the 16 kB large file cv.exe.
The trojan is known as TR/Crypt.ZPACK.Gen (Antivir), Gen:Trojan.Heur.FU.auW@a8ibIek (F-Secure), FakeAlert-DefCnt.d (McAfee), a variant of Win32/Kryptik.AJD (NOD32).
Create files as followings:
%CommonFavorites%\_favdata.dat
%Temp%TMP35073.tmp
%Temp%TMP35042.tmp
%Temp%TMP34714.tmp
Created the registry key as following :
[HKEY_CURRENT_USERPrintersConnections] affid = "396
subid = "landing"
The following internet connections wil lbe established on port 80:
www.searchashamed.org
mediafullups.com
Two files will be downloaded from /a/ad that contains a malicious payload and here are the details.
The first file is known as Mal/EncPk-LZ (Sophos):
Create files as followings:
%Temp%dfrgsnapnt.exe
%Temp%eapp32hst.dll
%Temp%opwesitjh
%Temp%wscsvc32.exe
The following processed will be created or are affected:
dfrgsnapnt.exe
wscsvc32.exe
Several registry modifications will be done and the following URLs are used:
http://finderwid.org/readdatagateway.php?type=stats&affid=139&subid=1&version=4.0&adwareok
http://searchashamed.org/readdatagateway.php?type=stats&affid=139&subid=1&version=4.0&adwareok
http://mediafullunu.com/readdatagateway.php?type=stats&affid=139&subid=1&version=4.0&adwareok
http://searchashamed.org/any3/5-direct.ex
http://finderwid.org/any3/5-direct.ex
http://mediafullunu.com/any3/5-direct.ex
The second file is known asTrojan.FakeAV!gen31 (Symantec),Trojan.Win32.TDSS.beea (Kaspersky),Application.RogueAVPacker (PCTools).
Create files as followings:
%Temp%PRAGMA7e53.tmp
%Temp%PRAGMAab00.tmp
%Windir%PRAGMAvgobwwkuyuPRAGMAc.dll
%Windir%PRAGMAvgobwwkuyuPRAGMAcfg.ini
%Windir%PRAGMAvgobwwkuyuPRAGMAd.sys
%Windir%PRAGMAvgobwwkuyuPRAGMAsrcr.dat
Create directory as followings:
%Windir%PRAGMAvgobwwkuyu
The following Registry Keys were created: HKEY_LOCAL_MACHINESOFTWAREProgram Groups
HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_PRAGMAIBADSTIDXB
HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_PRAGMAIBADSTIDXB000
HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_PRAGMAIBADSTIDXB000Control
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_PRAGMAIBADSTIDXB
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_PRAGMAIBADSTIDXB000
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_PRAGMAIBADSTIDXB000Control
HKEY_USERS.DEFAULTSoftwareMicrosoftInternet ExplorerMainfeaturecontrol
HKEY_USERS.DEFAULTSoftwareMicrosoftInternet ExplorerMainfeaturecontrolfeature_enable_ie_compression
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
HKEY_CURRENT_USERSoftwareClassesSoftwareMicrosoftPreferences
HKEY_CURRENT_USERSoftwareClasses.exe
HKEY_CURRENT_USERSoftwareClasses.exeDefaultIcon
HKEY_CURRENT_USERSoftwareClasses.exeshell
HKEY_CURRENT_USERSoftwareClasses.exeshellopen
HKEY_CURRENT_USERSoftwareClasses.exeshellopencommand
HKEY_CURRENT_USERSoftwareClasses.exeshell
unas
HKEY_CURRENT_USERSoftwareClasses.exeshell
unascommand
HKEY_CURRENT_USERSoftwareClasses.exeshellstart
HKEY_CURRENT_USERSoftwareClasses.exeshellstartcommand
HKEY_CURRENT_USERSoftwareClassessecfile
HKEY_CURRENT_USERSoftwareClassessecfileDefaultIcon
HKEY_CURRENT_USERSoftwareClassessecfileshell
HKEY_CURRENT_USERSoftwareClassessecfileshellopen
HKEY_CURRENT_USERSoftwareClassessecfileshellopencommand
HKEY_CURRENT_USERSoftwareClassessecfileshell
unas
HKEY_CURRENT_USERSoftwareClassessecfileshell
unascommand
HKEY_CURRENT_USERSoftwareClassessecfileshellstart
HKEY_CURRENT_USERSoftwareClassessecfileshellstartcommand
HKEY_LOCAL_MACHINESOFTWAREPRAGMA
HKEY_LOCAL_MACHINESOFTWAREPRAGMAinjector
HKEY_LOCAL_MACHINESOFTWAREPRAGMAversions
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPRAGMAibadstidxb
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPRAGMAibadstidxbmodules
The newly created Registry Values are: [HKEY_LOCAL_MACHINESOFTWARE] f7c5da73-b4a5-4947-8f40-08f2871eb36b = ""
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem] DisableTaskMgr = 0x00000001
[HKEY_LOCAL_MACHINESOFTWAREProgram Groups] ConvertedToLinks = 0x00000001
[HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_PRAGMAIBADSTIDXB000Control] *NewlyCreated* = 0x00000000
ActiveService = "PRAGMAibadstidxb"
[HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_PRAGMAIBADSTIDXB000] Service = "PRAGMAibadstidxb"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "PRAGMAibadstidxb"
[HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_PRAGMAIBADSTIDXB] NextInstance = 0x00000001
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_PRAGMAIBADSTIDXB000Control] *NewlyCreated* = 0x00000000
ActiveService = "PRAGMAibadstidxb"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_PRAGMAIBADSTIDXB000] Service = "PRAGMAibadstidxb"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "PRAGMAibadstidxb"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_PRAGMAIBADSTIDXB] NextInstance = 0x00000001
[HKEY_USERS.DEFAULTSoftwareMicrosoftInternet ExplorerMainfeaturecontrolfeature_enable_ie_compression] svchost.exe = 0x00000001
[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionInternet Settings] ProxyEnable = 0x00000000
[HKEY_CURRENT_USERPrintersConnections] time = 0x00000001
[HKEY_CURRENT_USERSoftware] 24d1ca9a-a864-4f7b-86fe-495eb56529d8 = ""
7bde84a2-f58f-46ec-9eac-f1f90fead080 = ""
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem] DisableTaskMgr = 0x00000001
to prevent users from starting Task Manager (Taskmgr.exe)
[HKEY_CURRENT_USERSoftwareClasses.exeshellopencommand] (Default) = ""%Temp%mscdexnt.exe" /START "%1" %*"
IsolatedCommand = ""%1" %*"
[HKEY_CURRENT_USERSoftwareClasses.exeshell
unascommand] (Default) = ""%1" %*"
IsolatedCommand = ""%1" %*"
[HKEY_CURRENT_USERSoftwareClasses.exeshellstartcommand] (Default) = ""%1" %*"
IsolatedCommand = ""%1" %*"
[HKEY_CURRENT_USERSoftwareClasses.exeDefaultIcon] (Default) = "%1"
[HKEY_CURRENT_USERSoftwareClasses.exe] (Default) = "secfile"
Content Type = "application/x-msdownload"
[HKEY_CURRENT_USERSoftwareClassessecfileshellopencommand] (Default) = ""%Temp%mscdexnt.exe" /START "%1" %*"
IsolatedCommand = ""%1" %*"
[HKEY_CURRENT_USERSoftwareClassessecfileshell
unascommand] (Default) = ""%1" %*"
IsolatedCommand = ""%1" %*"
[HKEY_CURRENT_USERSoftwareClassessecfileshellstartcommand] (Default) = ""%1" %*"
IsolatedCommand = ""%1" %*"
[HKEY_CURRENT_USERSoftwareClassessecfileDefaultIcon] (Default) = "%1"
[HKEY_CURRENT_USERSoftwareClassessecfile] (Default) = "Application"
Content Type = "application/x-msdownload"
[HKEY_LOCAL_MACHINESOFTWAREPRAGMAversions] /css/pragma/crcmds/install = "3.0"
[HKEY_LOCAL_MACHINESOFTWAREPRAGMAinjector] explorer.exe = "pragmaserf"
iexplore.exe = "pragmaserf;pragmabbr"
firefox.exe = "pragmabbr"
safari.exe = "pragmabbr"
chrome.exe = "pragmabbr"
opera.exe = "pragmabbr"
[HKEY_LOCAL_MACHINESOFTWAREPRAGMA] affid = "391"
type = "no"
build = "no"
subid = "direct"
cmddelay = 0x00015180
[HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPRAGMAibadstidxbmodules] PRAGMAd = "systemrootPRAGMAibadstidxbPRAGMAd.sys"
PRAGMAc = "systemrootPRAGMAibadstidxbPRAGMAc.dll"
pragmaserf = "pragmaserf"
pragmabbr = "pragmabbr"
[HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPRAGMAibadstidxb] start = 0x00000001
type = 0x00000001
imagepath = "systemrootPRAGMAibadstidxbPRAGMAd.sys"
The following Registry Values were modified: [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlServiceCurrent] (Default) =
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlServiceCurrent] (Default) =
[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders] Cache =
There were registered attempts to establish connection with the remote hosts. The connection details are:
Remote Host Port Number 62.122.73.242 80 91.213.157.69 80 91.213.157.72 80
The data identified by the following URLs was then requested from the remote web server: http://searchdisup.org/css/pragma/knock.php
http://finderwid.org/readdatagateway.php?type=stats&affid=391&subid=new02&version=4.0&adwareok
http://finderwid.org/any/391-direct.ex
http://finderunt.org/css/pragma/crcmds/main
http://finderunt.org/css/pragma/knock.php
http://finderunt.org/css/pragma/srcr.dat
http://finderunt.org/css/pragma/crcmds/install
http://finderunt.org/css/pragma/crfiles/serf
http://finderunt.org/css/pragma/crfiles/bbr
2. How-to's
1. Please updatethe policy basic knowledge of Sax2 in time, Once sax2 detects the communication of these trojans, it will break them and ensure your network & business security. .
2. How to Remove TR.Crypt.ZPACK.Gen Manually?
Remove the registry entries hidden by TR.Crypt.ZPACK.Gen (Free online spyware scan)
If you notice that the programs on your computer are running abnormally, please check the following entries in the Registry, and directly delete the spyware-related registry entries if found.
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
HKEY_LOCAL_MACHINE Software Microsoft Windows CurrentVersion RunServicesOnce
HKEY_CURRENT_USER/SoftwareMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce
HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies ExplorerRun
HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion
Explorer/ShellFolders Startup="C:\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\windows/start menu/programs\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\startup
It is possibly a way to load the "TR.Crypt.ZPACK.Gen" malicious programs, by hiding within the system WIN.INI file and the strings "run=" and "load=", so this must be carefully checked.
Clean up "IE Temporary File folder" where the original carrier of spyware threats is likely stored.
3. How to Remove Trojan.FakeAV!gen31 Manually?
Remove the registry entries hidden by Trojan.Win32.Tdss.beea [removed][removed] [removed][removed]
If you notice that the programs on your computer are running abnormally, please check the following entries in the Registry, and directly delete the spyware-related registry entries if found.
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
HKEY_LOCAL_MACHINE Software Microsoft Windows CurrentVersion RunServicesOnce
HKEY_CURRENT_USER/SoftwareMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce
HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies ExplorerRun
HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion
Explorer/ShellFolders Startup="C:\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\windows/start menu/programs\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\startup
It is possibly a way to load the "Trojan.Win32.Tdss.beea" malicious programs, by hiding within the system WIN.INI file and the strings "run=" and "load=", so this must be carefully checked.
Clean up "IE Temporary File folder" where the original carrier of spyware threats is likely stored.
4. How to Remove these trojans Instantly?
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start. visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.
3. Appendix
For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
How to Detect and Rmove the TR/Crypt.ZPACK.Gen Trojan
By: andy.J